After more than 8 years at Kentor the time has come to move on. I’m leaving Kentor and starting my own business. I will continue to work with identity and access management, especially SAML2 on .NET. I will do consulting, open source development and training, both on site and remotely. The Kentor.AuthServices project will be transferred to my new company, Sustainsys

Kentor.AuthServices 0.21.2 has just been released to NuGet. It is a security release fixing three issues.

XML External Entity Injection (affecting .NET 4.5 only)

Malicious IdP can cause write to arbitrary file

Flawed ReturnUrl validation leads to Open Redirect

The first two issues were reported by John Heasman, Morgan Roman and Joshua Estalilla from DocuSign. While I have dreaded the day when I would get a security issue, I am extremely happy with the professionalism of the disclosure. I got the report privately, including detailed descriptions, reproduction steps and solid recommendations on how to fix it. I am very grateful that you took the time to review AuthServices and find the issues, and for the detailed reports.

I’m a fan of code coverage as a way to ensure that there are tests covering the code. One area where I tend to rely heavily on code coverage is catching tests that no longer work correctly due to changes in the production code. That often works out well, but today I got betrayed by the code coverage engine.

The code that I worked on contained an if statement with a multi-step && expression.

Of course I had tests that made the evaluation fail both because of importantValue and because of b. So what happened later was that GetAnswer() was updated, without the test for the importantValue case being updated. Of course (my bad) that test had set b to true, causing the evaluation to fail on b, causing true to be returned. So the test passed, but not due to the thing I wanted to test. In a complex application, this is bound to happen every now and then. Usually, the code coverage scores will reveal that there is an execution path not covered. But not this time! The trustworthy code coverage analysis betrayed me!
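The trap described above, as an added C# example that is not code from the post: importantValue, b and GetAnswer() are the post's names, while the exact expression, the class layout, the counting getter and the three test cases are assumptions. After tests 1 and 2 every source line has been executed, so line coverage reports 100%, yet the short-circuit outcome on importantValue is only exercised by test 3.

```csharp
using System;

// Added example, not the post's code: importantValue, b and GetAnswer() are the post's
// names; the expression, class layout and evaluation counter are assumptions.
public class CoverageTrap
{
    private readonly bool importantValue;
    private readonly bool b;
    public int BEvaluated { get; private set; }     // how often the right operand ran
    public int GetAnswerCalls { get; private set; }

    public CoverageTrap(bool importantValue, bool b) =>
        (this.importantValue, this.b) = (importantValue, b);

    // Counting getter: shows whether && ever reached the right operand.
    private bool B { get { BEvaluated++; return b; } }
    public bool Check()
    {
        // One source line, two decision outcomes. Line coverage marks it covered as
        // soon as any test reaches it; only branch coverage notices that the
        // "importantValue == false" outcome was never exercised.
        if (importantValue && !B)
        {
            return GetAnswer();
        }
        return true;
    }
    // The production change the post describes lands here.
    private bool GetAnswer() { GetAnswerCalls++; return true; }
}

public static class Program
{
    public static void Main()
    {
        // Test 1: importantValue true and b false, so GetAnswer() runs.
        var t1 = new CoverageTrap(importantValue: true, b: false);
        Console.WriteLine($"t1: {t1.Check()}, GetAnswer calls {t1.GetAnswerCalls}");
        // Test 2: meant as "the importantValue test", but b == true makes the
        // expression fail on b. It returns true, the assertion passes for the wrong
        // reason, and every line is now reported as covered.
        var t2 = new CoverageTrap(importantValue: true, b: true);
        Console.WriteLine($"t2: {t2.Check()}, B evaluated {t2.BEvaluated} times");
        // Test 3 is the missing one: importantValue == false short-circuits, so B is
        // never read (BEvaluated stays 0). Without it line coverage still shows 100%.
        var t3 = new CoverageTrap(importantValue: false, b: true);
        Console.WriteLine($"t3: {t3.Check()}, B evaluated {t3.BEvaluated} times");
    }
}
```

Asserting on GetAnswerCalls and BEvaluated, not only on the returned bool, is what makes a test fail when it starts passing for the wrong reason.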

Half a year’s worth of pull requests with great features have finally been baked into an official release of Kentor.AuthServices, which is now available on NuGet. The most important fixes are improved active/passive handling for the Owin middleware and full support for SHA256/384/512, as it is time to leave SHA1.

First of all I would like to thank all contributors and users that have had to wait for this while I’ve been on parental leave. A special thanks to Explunit, who has made a lot of valuable contributions as well as reviewing pull requests and taking part in design discussions.

Breaking Changes

The public API of AuthServices is getting more and more stable, but nevertheless there are some breaking changes.

The Owin Middleware is now once again Passive by default

The Owin Middleware will act as Active during Logout, even if it is configured as passive. This can be disabled with the StrictOwinAuthenticationMode compatibility setting.

On .NET 4.6.2 and later AuthServices now by default generates SHA256-based signatures and only accepts SHA256 or stronger signatures.

The “clever” ReturnUrl expansion has been removed as it proved to create more problems than it solved.

I live in Sweden, and one of the great things about that is that as a dad you can get months off to be with your kids while they are small. My youngest turned one at the end of May, and a few days later I did my last day at the office for 2016. Since then I’ve been spending my days at home, seeing him learn new things every day. But now that period of my life is over: I’m back to work and he’s started at daycare.

As a dad, saying goodbye to him and leaving him is of course hard. He, on the other hand, couldn’t care less. He’s at a new exciting place with a lot of new interesting things to explore.

I have interesting things to explore too. The world of software development moves fast, and 6 months’ absence from active work means things have changed. .NET Core has been released and the tooling is quickly maturing. It’s time to look deeper into it and create an ASP.NET Core version of Kentor.AuthServices to bring SAML2 to ASP.NET Core. But first there’s the SweTugg conference, where I’ll do two talks. The first is a new one about real life TDD experiences, with live coding of real features in real projects. The second is an overview of security in ASP.NET Core.

Then there’s a ton of e-mails that I’ve not answered in a timely manner. I’ll go through them, but answering all of them will take time. There’s also a queue of pull requests in AuthServices that need to be handled. First in line are of course those from paying customers with valid support agreements. The rest will be reviewed when I have time.

Last, but not least, this also means I’m available for consulting again, so if you need some services within my areas of expertise, please get in touch.